Nextcloud Server
By the Year
In 2023 there have been 6 vulnerabilities in Nextcloud Server with an average score of 6.2 out of ten. Last year Nextcloud Server had 20 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Nextcloud Server in 2023 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2023 is greater by 1.29.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 6 | 6.23 |
| 2022 | 20 | 4.94 |
| 2021 | 29 | 6.53 |
| 2020 | 26 | 5.63 |
| 2019 | 2 | 4.45 |
| 2018 | 10 | 5.94 |
It may take a day or so for new Nextcloud Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Server Security Vulnerabilities
Nextcloud is Open Source private cloud software
CVE-2023-25821
7.5 - High
- February 25, 2023
Nextcloud is Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.
Nextcloud is Open Source private cloud software
CVE-2023-25816
6.5 - Medium
- February 25, 2023
Nextcloud is Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available.
Resource Exhaustion
Nextcloud server is a self hosted home cloud product
CVE-2023-25579
7.5 - High
- February 22, 2023
Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow the creation of paths outside of one's own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.
Directory traversal
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2023-25161
5.3 - Medium
- February 13, 2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2023-25162
5.3 - Medium
- February 13, 2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.
XSPA
Nextcloud Server is the file server software for Nextcloud
CVE-2023-25159
5.3 - Medium
- February 13, 2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.
Nextcloud Server is an open source personal cloud server
CVE-2022-41968
5.3 - Medium
- December 01, 2022
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Versions 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.
Resource Exhaustion
Nextcloud Server is an open source personal cloud server
CVE-2022-41969
2.7 - Low
- December 01, 2022
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.
Weak Password Requirements
Nextcloud Server is an open source personal cloud server
CVE-2022-41970
5.3 - Medium
- December 01, 2022
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded, and previews of documents (first page) could be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.
AuthZ
Nextcloud server is an open source personal cloud server
CVE-2022-39346
6.5 - Medium
- November 25, 2022
Nextcloud server is an open source personal cloud server. Affected versions of Nextcloud server did not properly limit user display names, which could allow a malicious user to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
Improper Input Validation
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-39364
6.5 - Medium
- October 27, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.
Cleartext Storage of Sensitive Information
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-39329
5.3 - Medium
- October 27, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.
AuthZ
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-39330
4.3 - Medium
- October 27, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/CPU load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.
Resource Exhaustion
Nextcloud server is an open source personal cloud platform
CVE-2022-39211
5.3 - Medium
- September 16, 2022
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.
XSPA
Nextcloud server is an open source personal cloud product
CVE-2022-36074
7.5 - High
- September 15, 2022
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
Exposure of Resource to Wrong Sphere
Nextcloud server is an open source personal cloud solution
CVE-2022-31120
2.7 - Low
- August 04, 2022
Nextcloud server is an open source personal cloud solution. The audit log, which is used to get a full trail of actions, was incompletely populated. In affected versions federated share events were not properly logged, which would allow brute force attacks to go unnoticed. This behavior exacerbates the impact of CVE-2022-31118. It is recommended that the Nextcloud Server is upgraded to 22.2.7, 23.0.4 or 24.0.0. There are no workarounds available.
Nextcloud server is an open source personal cloud solution
CVE-2022-31118
5.3 - Medium
- August 04, 2022
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.
Improper Restriction of Excessive Authentication Attempts
Nextcloud server is an open source personal cloud server
CVE-2022-31014
3.5 - Low
- July 05, 2022
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8, 23.0.5 or 24.0.1. There are no known workarounds for this issue.
Injection
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-29243
4.3 - Medium
- May 31, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
Improper Input Validation
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-29163
4.3 - Medium
- May 20, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this issue. There are currently no known workarounds.
Lack of Administrator Control over Security
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-24889
4.3 - Medium
- April 27, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8, 22.2.4, and 23.0.1.
Insufficient Verification of Data Authenticity
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform
CVE-2022-24888
4.3 - Medium
- April 27, 2022
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. This issue is fixed in versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1. There are currently no known workarounds.
Injection
Nextcloud Text is a collaborative document editing application using Markdown built for the Nextcloud server
CVE-2021-41233
5.3 - Medium
- March 10, 2022
Nextcloud Text is a collaborative document editing application using Markdown built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings.
AuthZ
Nextcloud server is an open source, self hosted cloud style services platform
CVE-2022-24741
6.5 - Medium
- March 09, 2022
Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the `'enable_previews'` config flag.
Resource Exhaustion
Nextcloud server is a self hosted system designed to provide cloud style services
CVE-2021-41241
4.3 - Medium
- March 08, 2022
Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.
AuthZ
Nextcloud server is a self hosted system designed to provide cloud style services
CVE-2021-41239
5.3 - Medium
- March 08, 2022
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
Information Disclosure
Nextcloud is an open-source, self-hosted productivity platform
CVE-2021-41177
8.1 - High
- October 25, 2021
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`.
Insufficient anti-automation
Nextcloud server is an open source, self hosted personal cloud
CVE-2021-32802
9.8 - Critical
- September 07, 2021
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.
Inclusion of Functionality from Untrusted Control Sphere
Nextcloud server is an open source, self hosted personal cloud
CVE-2021-32801
5.5 - Medium
- September 07, 2021
Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option, users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed. Note that if you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug.
Insertion of Sensitive Information into Log File
Nextcloud server is an open source, self hosted personal cloud
CVE-2021-32800
8.1 - High
- September 07, 2021
Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthn trusted device of a user, was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workarounds for this vulnerability.
Missing Authentication for Critical Function
Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server
CVE-2021-32766
5.3 - Medium
- September 07, 2021
Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges (aka "File Drop"). A link share recipient is not expected to see which folders or files exist in a "File Drop" share. Using this vulnerability an attacker is able to enumerate folders in such a share. Exploitation requires that the attacker has access to a valid affected "File Drop" link share. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.0.1. Users who are unable to upgrade are advised to disable the Nextcloud Text application in the app settings.
Generation of Error Message Containing Sensitive Information
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer
CVE-2021-32728
6.5 - Medium
- August 18, 2021
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
Improper Certificate Validation
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32741
5.3 - Medium
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32734
5.3 - Medium
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.
Generation of Error Message Containing Sensitive Information
Nextcloud Text is a collaborative document editing application that uses Markdown
CVE-2021-32733
6.1 - Medium
- July 12, 2021
Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, use a browser that has support for Content-Security-Policy.
XSS
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32726
9.8 - Critical
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Incorrect Ownership Assignment
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32725
5.3 - Medium
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Insecure Inherited Permissions
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32705
7.5 - High
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Insufficient anti-automation
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32703
5.3 - Medium
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Insufficient anti-automation
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32688
8.8 - High
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus filesystem-limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
AuthZ
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32680
3.3 - Low
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.
Insufficient Logging
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32679
8.8 - High
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.
Output Sanitization
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32678
5.3 - Medium
- July 12, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits to spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.
Insufficient anti-automation
Nextcloud server before 19.0.11
CVE-2021-22915
9.8 - Critical
- June 11, 2021
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
Improper Restriction of Excessive Authentication Attempts
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32657
4.3 - Medium
- June 01, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 19.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would prevent administrators from administrating users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command line tool to administrate the Nextcloud users.
Resource Exhaustion
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32656
8.6 - High
- June 01, 2021
Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.
Authorization
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32655
3.5 - Low
- June 01, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32654
9.1 - Critical
- June 01, 2021
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
Insecure Direct Object Reference / IDOR
Nextcloud Server is a Nextcloud package that handles data storage
CVE-2021-32653
2.7 - Low
- June 01, 2021
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Insertion of Sensitive Information Into Sent Data
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
CVE-2020-8296
6.7 - Medium
- March 03, 2021
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
Weak Password Requirements
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
CVE-2021-22878
4.8 - Medium
- March 03, 2021
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
XSS
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
CVE-2021-22877
6.5 - Medium
- March 03, 2021
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
AuthZ
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11
CVE-2020-8294
5.4 - Medium
- February 03, 2021
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
XSS
A wrong check in Nextcloud Server 19 and prior
CVE-2020-8295
7.5 - High
- January 26, 2021
A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack to be performed when resetting the password for a user.
Resource Exhaustion
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11
CVE-2020-8293
6.5 - Medium
- January 26, 2021
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.
Resource Exhaustion
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1
CVE-2020-8259
8.1 - High
- November 16, 2020
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
Insufficiently Protected Credentials
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1
CVE-2020-8152
4.4 - Medium
- November 16, 2020
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
Insufficiently Protected Credentials
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1
CVE-2020-8133
5.3 - Medium
- November 09, 2020
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
Improper Verification of Cryptographic Signature
A cryptographic issue in Nextcloud Server 19.0.1
CVE-2020-8150
4.1 - Medium
- November 09, 2020
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
Missing Encryption of Sensitive Data
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
CVE-2020-8236
6.8 - Medium
- November 02, 2020
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
authentification
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
CVE-2020-8183
7.5 - High
- November 02, 2020
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
Insufficiently Protected Credentials
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4
CVE-2020-8173
2.2 - Low
- November 02, 2020
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
Missing Encryption of Sensitive Data
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation
CVE-2020-8223
6.5 - Medium
- October 05, 2020
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
Improper Privilege Management
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8225
7.5 - High
- September 18, 2020
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
Cleartext Storage of Sensitive Information
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2
CVE-2020-8154
7.7 - High
- May 12, 2020
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
Insecure Direct Object Reference / IDOR
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
CVE-2020-8155
5.4 - Medium
- May 12, 2020
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
XSS
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14
CVE-2020-8138
6.5 - Medium
- March 20, 2020
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
XSPA
A missing access control check in Nextcloud Server < 18.0.1
CVE-2020-8139
6.5 - Medium
- March 20, 2020
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
AuthZ
Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
CVE-2020-8117
4.3 - Medium
- February 04, 2020
Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
Improper Preservation of Permissions
An authenticated server-side request forgery in Nextcloud server 16.0.1
CVE-2020-8118
5 - Medium
- February 04, 2020
An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed local and remote services to be detected when adding a new subscription in the calendar application.
XSPA
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened
CVE-2020-8119
4.3 - Medium
- February 04, 2020
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
AuthZ
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
CVE-2020-8121
8.1 - High
- February 04, 2020
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
Exposure of Resource to Wrong Sphere
A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
CVE-2020-8122
4.3 - Medium
- February 04, 2020
A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
Improper Input Validation
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
CVE-2019-15612
5.9 - Medium
- February 04, 2020
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
Session Fixation
Dangling remote share attempts in Nextcloud 16
CVE-2019-15616
4.3 - Medium
- February 04, 2020
Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.
Injection
A missing check in Nextcloud Server 17.0.0
CVE-2019-15617
5.4 - Medium
- February 04, 2020
A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.
authentification
Missing escaping of HTML in the Updater of Nextcloud 15.0.5
CVE-2019-15618
4.8 - Medium
- February 04, 2020
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
XSS
Improper neutralization of file names
CVE-2019-15619
4.8 - Medium
- February 04, 2020
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project.
XSS
Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received
CVE-2019-15621
6.5 - Medium
- February 04, 2020
Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.
Improper Preservation of Permissions
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
CVE-2019-15623
5.3 - Medium
- February 04, 2020
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
Improper Input Validation in Nextcloud Server 15.0.7
CVE-2019-15624
4.9 - Medium
- February 04, 2020
Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
Improper Input Validation
A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.
CVE-2019-5449
4.3 - Medium
- July 30, 2019
A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.
Information Disclosure
Bypass lock protection in the Nextcloud Android app prior to version 3.6.1
CVE-2019-5451
4.6 - Medium
- July 30, 2019
Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.
Missing Authentication for Critical Function
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially
CVE-2018-16463
3.1 - Low
- October 30, 2018
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares.
Session Fixation
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
CVE-2018-16464
5.7 - Medium
- October 30, 2018
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
authentification
Missing state in Nextcloud Server prior to 14.0.0
CVE-2018-16465
5.3 - Medium
- October 30, 2018
Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load.
authentification
Improper revalidation of permissions in Nextcloud Server prior to 14.0.0
CVE-2018-16466
8.1 - High
- October 30, 2018
Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 led to access restrictions of access tokens not being enforced.
Improper Check for Dropped Privileges
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
CVE-2018-16467
5.3 - Medium
- October 30, 2018
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
authentification
A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction
CVE-2018-3780
5.4 - Medium
- August 13, 2018
A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
XSS
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker
CVE-2018-3775
8.8 - High
- August 12, 2018
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication.
authentification
Improper input validation in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
CVE-2018-3776
5.3 - Medium
- August 12, 2018
Improper input validation in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
Insertion of Sensitive Information into Log File
Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint
CVE-2018-3761
8.1 - High
- July 05, 2018
Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.
authentification
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares
CVE-2018-3762
4.3 - Medium
- July 05, 2018
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.
Improper Preservation of Permissions
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error
CVE-2017-0894
4.3 - Medium
- May 08, 2017
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. This potentially grants an attacker access to publicly shared calendars without knowing the share token.
AuthZ
Nextcloud Server before 11.0.3 is vulnerable to improper session handling
CVE-2017-0892
3.5 - Low
- May 08, 2017
Nextcloud Server before 11.0.3 is vulnerable to improper session handling, which allowed an application-specific password without permission to the files to access the user's files.
Session Fixation
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module
CVE-2017-0890
5.4 - Medium
- May 08, 2017
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.
XSS
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app
CVE-2017-0888
4.3 - Medium
- April 05, 2017
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.
Improper Input Validation
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation
CVE-2017-0887
4.3 - Medium
- April 05, 2017
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header, an authenticated adversary may be able to exceed their configured user quota, thus using more space than allowed by the administrator.
Improper Input Validation
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack
CVE-2017-0886
6.5 - Medium
- April 05, 2017
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.
Stack Exhaustion
Nextcloud Server before 9.0.55 and 10.0.2 suffers from an error message disclosing the existence of a file in a write-only share
CVE-2017-0885
4.3 - Medium
- April 05, 2017
Nextcloud Server before 9.0.55 and 10.0.2 suffers from an error message disclosing the existence of a file in a write-only share. Due to an error in the application logic, an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.
Information Disclosure